Return-oriented programming (ROP) exploits are an increasingly common form of malicious software (malware) that may circumvent certain defenses that mark locations of memory as non-executable. An ROP exploit works by stringing together a large number of existing segments of executable code, known as gadgets, that each end with a “return” instruction. Each ROP gadget is typically short, and typically does not correspond to an existing procedure or even an existing instruction boundary in the executable code. The attacker constructs a malicious stack including a series of return addresses pointing to the desired sequence of gadgets. The ROP exploit is performed by causing the processor of the computer to execute software using the malicious stack instead of the legitimate system stack. For example, the malicious stack may be introduced by smashing the stack, using a buffer overflow exploit, pivoting to a new stack, or otherwise corrupting the system stack. Jump-oriented programming (JOP) exploits are similar, but target gadgets that end with an indirect jump instruction rather than a return instruction.
Advanced code-reuse attacks may not necessarily rely on return or jump instructions. Instead, certain advanced code-reuse attacks may use valid function entry points that could be indirectly called to launch attacks. Such code-reuse attacks may include call-oriented programming (COP), counterfeit object-oriented programming (COOP), or loop-oriented programming (LOP). These attacks may bypass defense techniques such as coarse-grained control-flow integrity, control flow enforcement, or control flow guard.
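The following added example (not part of the original text) models why a coarse-grained policy rejects a mid-function gadget address yet accepts any valid function entry point, which is the property the attacks above rely on. The addresses, function names, and prototype tags are constructed, and the prototype-matching policy is an assumed stricter check included only for contrast.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of a code layout: addresses, names and tags are made up. */
typedef struct {
    uintptr_t entry;   /* function entry point */
    int sig;           /* tag standing in for the function's prototype */
    const char *name;
} func_t;

enum { SIG_VOID_OBJ = 1, SIG_INT_STR = 2 };

static const func_t funcs[] = {
    { 0x401000, SIG_VOID_OBJ, "Shape_draw"   },
    { 0x401080, SIG_VOID_OBJ, "Logger_flush" },
    { 0x401100, SIG_INT_STR,  "parse_config" },
};
#define NFUNCS (sizeof funcs / sizeof funcs[0])

static const func_t *lookup(uintptr_t target) {
    for (size_t i = 0; i < NFUNCS; i++)
        if (funcs[i].entry == target) return &funcs[i];
    return NULL;
}

/* Coarse-grained policy: an indirect call may land on any function entry. */
int coarse_cfi_allows(uintptr_t target) {
    return lookup(target) != NULL;
}

/* Assumed stricter policy: the entry must also match the call site's prototype. */
int typed_cfi_allows(uintptr_t target, int site_sig) {
    const func_t *f = lookup(target);
    return f != NULL && f->sig == site_sig;
}

int main(void) {
    /* The call site expects SIG_VOID_OBJ and is meant to reach 0x401000.
       Other targets: mid-function address, same-type entry, wrong-type entry. */
    const uintptr_t targets[] = { 0x401000, 0x401013, 0x401080, 0x401100 };
    for (size_t i = 0; i < sizeof targets / sizeof targets[0]; i++)
        printf("%#lx coarse=%d typed=%d\n", (unsigned long)targets[i],
               coarse_cfi_allows(targets[i]),
               typed_cfi_allows(targets[i], SIG_VOID_OBJ));
    return 0;
}
```

The same-prototype entry at 0x401080 passes both checks even though it is not the intended target, so prototype matching narrows the set of accepted targets without reducing it to the one the programmer meant.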